The present invention relates generally to risk management, and more particularly to methods and utilities for modeling risk information, such as risk information in the context of a business.
Business process models have become a ubiquitous tool for documenting, designing, and managing the core functions of an enterprise. The range of information that can be represented in process modeling software toolkits has steadily expanded beyond simple workflow representations to include information regarding process objectives and measures of process performance, oversight and control policies, and supporting resources. By representing these concepts in a standardized framework, business process models provide managers with insight and a common language to describe how their businesses operate and how they provide value to their customers and stakeholders.
Business process models are also seen as an integral tool for corporate governance and risk management. For many companies, process modeling has also become a legal requirement after the passage of regulatory legislation such as the Sarbanes-Oxley (SOX) Act. Such laws were passed in the wake of the accounting scandals and financial industry crises of the early 2000s, with a primary aim of ensuring that companies would enact the proper controls to reduce their operational risks. Other regulations, such as the Basel II accords, additionally require firms to measure and hold reserves against their operational risk exposures.
Currently, however, most risk management and quantification techniques are at best only loosely coupled with process modeling. Risk management techniques such as Failure Mode and Effect Analysis (FMEA) use business process models as a starting point for identifying and locating possible risk exposures, but do not document the risks themselves in the process models or use the process model relations explicitly in quantifying risks. To date, there have been few efforts made to formally integrate risk management concepts into a standard business process metamodel. For example, no standardized notation has emerged to express such notions as failure modes of resources, root cause events, and sources of execution failure and low job output quality directly in the context of process models.
Business process models represent the activities and participants that contribute to the achievement of specific value-generating objectives of a firm. Operational risks are a set of threats that jeopardize the achievement of those objectives. Current standards and frameworks for risk management require that business process models be used in order to help identify and assess various operational risks.
Currently, however, the metamodels that define the vocabulary of business process models do not include a sufficient vocabulary to capture and express all information that is relevant to identifying and quantifying operational risks.
Thus, it would be highly desirable to provide a system and method that addresses the need for more effective modeling of risk information in the context of business processes.
It would further be desirable to provide a system and method for extending the execution semantics of standard business process modeling languages in order to simulate the effects of risk events within business processes.